Posted to commits@portals.apache.org by ta...@apache.org on 2016/03/29 04:26:15 UTC

svn commit: r1736939 - /portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml

Author: taylor
Date: Tue Mar 29 02:26:15 2016
New Revision: 1736939

URL: http://svn.apache.org/viewvc?rev=1736939&view=rev
Log:
adding CVE-2016-2171 to list of 2.3.0 vulnerabilities

Modified:
    portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml

Modified: portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml
URL: http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml?rev=1736939&r1=1736938&r2=1736939&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml (original)
+++ portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml Tue Mar 29 02:26:15 2016
@@ -30,6 +30,7 @@
             <li><a href='#CVE-2016-0710'>CVE-2016-0710:  SQL injection in User Manager service</a></li>
             <li><a href='#CVE-2016-0711'>CVE-2016-0711:  Persistent Cross Site Scripting in links, pages and folders</a></li>
             <li><a href='#CVE-2016-0712'>CVE-2016-0712:  Reflected Cross Site Scripting in URI path</a></li>
+            <li><a href='#CVE-2016-2171'>CVE-2016-2171: Jetspeed User Manager REST service not restricted by Jetspeed Security</a></li>
         </ul>
         </section>
         <section name="2.3.1 Release CVE Reports">
@@ -150,6 +151,33 @@ title="Minimize" class="action portlet-a
                     ]]></source>
             </p>
             </subsection>
+
+            <a name="CVE-2016-2171"/>
+            <subsection name="CVE-2016-2171: Jetspeed User Manager REST service not restricted by Jetspeed Security">
+                <table>
+                    <tr><td>Severity: </td><td>Important</td></tr>
+                    <tr><td>Vendor: </td><td>The Apache Software Foundation</td></tr>
+                    <tr><td>Versions Effected:</td><td> Jetspeed 2.3.0</td></tr>
+                    <tr><td>Mitigation:</td><td>2.3.0 users should upgrade to 2.3.1</td></tr>
+                    <tr><td>Credit:</td><td>This issue was discovered by Andreas Lindh</td></tr>
+                    <tr><td>References:</td><td>http://tomcat.apache.org/security.html</td></tr>
+                </table>
+
+                <h4>Description:</h4>
+                <p>
+                    The Jetspeed User Manager services are vulnerable to unauthorized access. The following APIs are not restricted by Jetspeed Security:
+                </p>
+                <source><![CDATA[
+                    GET http://host/jetspeed/services/usermanager/users/
+                    GET http://host/jetspeed/services/usermanager/users/{name}/
+                    POST http://host/jetspeed/services/usermanager/users/{name}/
+                    POST http://host/jetspeed/services/usermanager/users/
+                    DELETE http://host/jetspeed/services/usermanager/users/{name}/
+                ]]></source>
+                <p>
+                    In the upcoming 2.3.1 release, these URLs are properly secured by Jetspeed Security, requiring Administrative rights.
+                </p>
+            </subsection>
         </section>
 
     </body>
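Review bot: the References row in the new table points at http://tomcat.apache.org/security.html, which is the Tomcat security page and does not cover a Jetspeed advisory; it looks copied from another report, so replace it with the Jetspeed security reports page or the CVE record, or drop the row. Two smaller points in the same subsection: "Versions Effected" should read "Versions Affected", and the description's "In the upcoming 2.3.1 release" contradicts the Mitigation row that already tells 2.3.0 users to upgrade to 2.3.1; the page should state one or the other so readers know whether the fixed release is available.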